Krotten
Krotten is a ransomware of Russian origin. It is known for being very unique because of what it can do to a system.

Payload Transmission
Krotten is distributed as a program that claims to generate codes for topping up mobile phones. It was placed on a free-hosted site located in Russia. The site states that the code generator was developed by Ukrainian hackers, claims that the program will work for "nearly all Ukrainian mobile service providers", and guarantees a 100% result.

Infection
When the virus is first executed, it brings up a dialog box with Russian text. The title translates roughly to "All is ready", and the message says "Restart your computer, and read what needs to be done. Email the program developers at wordsia@notrix.de". At the same time, the virus disables Task Manager, regedit, My Computer, Control Panel, the ability to see the C drive, the ability to shut down properly, the Run dialog, and many more functions. Upon restart, the desktop background is shifted to the bottom right corner, and the user can't do much anymore. The clock is changed to say "хуй" (the word "dick" in Russian). All the user can really do is run Command Prompt. It should be noted that on Windows Vista and above, the user must grant the virus administrative privileges for all of these payloads to work. If no administrative access is granted, only the background-shifting and clock-changing payloads will be functional.

Removal
This virus is notorious for how destructive it is. It is nearly impossible to remove without reinstalling Windows, so users who find themselves unlucky victims of this ransomware are probably best off backing up their data and reinstalling Windows. However, for those interested, most of this virus can be removed.
The procedure differs depending on whether the user is running Windows XP and below, or Windows Vista and above.

Windows XP and below
Open Command Prompt and type the following command:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f
After that, type:
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f
Running these commands deletes the keys that block regedit and Task Manager. The user will now be able to run regedit without getting the infamous "Registry editing has been disabled by your administrator" error message. Next, navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey in this key. Then navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' and delete any values that look suspicious. Navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey from there. Finally, navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and delete any suspicious-looking values. This will mostly restore full functionality. To remove everything, save the personal files to a folder in the C drive, then open a Command Prompt and type: 'net user administrator /active:yes'. Now log out of the account and log on to the administrator account. Navigate to Start > Control Panel > User Accounts, find the infected account, and click "Delete This Account". Once this account is deleted, make a new user account. Log out of the administrator account and log in with the newly made account. If the user wants to hide the administrator account again, run this command in Command Prompt: 'net user administrator /active:no'

Windows Vista and above
Due to the new User Account Control and better file protection protocols, removing this virus on Windows Vista onwards is more difficult.
First, boot the computer from the OS install disk, then click "Repair your computer" in the bottom right. On Windows Vista and Windows 7, this brings the user to a screen that scans for Windows installs; once it finds one, select the Windows install and click Next, which brings the user to the advanced options screen. On Windows 8 and Windows 10, clicking "Repair your computer" brings the user to a screen with several options; click the button that says "Advanced options". Now, for all versions, click the "Command Prompt" button. In this window, type 'rename sethc.exe oldsethc.exe', then 'copy cmd.exe sethc.exe'. Now exit the installer and boot back into Windows. Once the user has logged in, press Shift five times and a Command Prompt will open, but don't run the removal commands yet: they will produce a series of "access denied" errors, because Windows Vista onwards needs administrative privileges to run the necessary commands. Type "explorer.exe C:\Windows\System32". This opens an Explorer window. Scroll down until "cmd.exe" is visible, right-click it, and click "Run as Administrator". Click "Yes" or "Continue" at the UAC prompt. Once this window opens, type:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f
After that, type:
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f
Running these commands deletes the keys that block regedit and Task Manager. The user will now be able to run regedit without getting the infamous "Registry editing has been disabled by your administrator" error message. Next, navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey in this key. Then navigate to 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run' and delete any values that look suspicious. Navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies' and delete every subkey from there.
Finally, navigate to 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and delete any suspicious-looking values. This will mostly restore full functionality. To remove everything, save the personal files to a folder in the C drive, then open an Administrator Command Prompt and type: 'net user administrator /active:yes'. Now log out of the account and log on to the administrator account. Navigate to Start > Control Panel > User Accounts, find the infected account, and click "Delete This Account". Once this account is deleted, make a new user account. Log out of the administrator account and log in with the newly made account. If the user wants to hide the administrator account again, run this command in an Administrator Command Prompt: 'net user administrator /active:no'

For all versions
Of course, it is always best to run a proper anti-virus scan afterwards, just in case there are any leftover remnants of the virus.

Category:Microsoft Windows Category:Win32 Category:Ransomware Category:Win32 ransomware Category:Win32 trojan Category:Trojan Category:Virus Category:Win32 virus
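As an added defender-side check that is not part of the original article, the following PowerShell script audits the registry locations named in the removal steps above (the Policies and Run keys under HKCU and HKLM) and also verifies that sethc.exe is no longer a copy of cmd.exe, which the Vista-and-above procedure leaves behind until the original file is restored. The value names it looks for (DisableTaskMgr, DisableRegistryTools, NoRun, NoControlPanel, NoDrives, NoClose, NoDesktop) are the standard Windows policy values for the restrictions the article lists, not identifiers taken from this page; run it from an elevated PowerShell so HKLM is readable.

```powershell
# Added audit script (not from the original article). Reports lockdown policy
# values and startup entries, and flags a sethc.exe that still equals cmd.exe.
$policyRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)
# Standard Windows policy value names behind the restrictions the article lists:
# Task Manager, regedit, Run dialog, Control Panel, hidden drives, shutdown, desktop.
$watchValues = @('DisableTaskMgr', 'DisableRegistryTools', 'NoRun',
                 'NoControlPanel', 'NoDrives', 'NoClose', 'NoDesktop')

function Get-SuspiciousPolicies {
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }
        # Walk every subkey (System, Explorer, ...) and report watched values.
        Get-ChildItem $root -Recurse | ForEach-Object {
            $key = $_
            $key.GetValueNames() | Where-Object { $watchValues -contains $_ } |
                ForEach-Object {
                    [pscustomobject]@{ Key = $key.Name; Value = $_; Data = $key.GetValue($_) }
                }
        }
    }
}

function Get-RunEntries {
    # List every autostart entry so suspicious commands can be reviewed by hand.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $run)) { continue }
        $item = Get-Item $run
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $run; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Test-SethcReplaced {
    # The recovery steps copy cmd.exe over sethc.exe; identical hashes mean it
    # has not been restored from oldsethc.exe yet.
    $sys   = "$env:SystemRoot\System32"
    $sethc = (Get-FileHash "$sys\sethc.exe" -Algorithm SHA256).Hash
    $cmd   = (Get-FileHash "$sys\cmd.exe"   -Algorithm SHA256).Hash
    return $sethc -eq $cmd
}

Get-SuspiciousPolicies | Format-Table -AutoSize
Get-RunEntries         | Format-Table -AutoSize
if (Test-SethcReplaced) { Write-Warning 'sethc.exe is still a copy of cmd.exe; restore the original.' }
```

HKCU refers to the account running the script, so run it as the cleaned-up user (or inspect the affected user's hive under HKEY_USERS) rather than only as the built-in administrator.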